Session Tracker Feature

PAN-OS 6.0, 6.1

Details

PAN-OS 6.0 introduced a session tracker feature in the CLI command, show session id, and is displayed at the bottom line of the output of show session id <id #> as tracker stage firewall.

At various phases during packet processing, a session may close due to causes such as:

• Session denied or time out
• Dropped packets due to threat various treat conditions
• Reset by any of end hosts

The purpose of the session tracker is to feature the precise reasons for mitigation actions taken on particular sessions. The information provided may be useful for retroactive analysis and most of the time reduce need for issue reproduction, which is often not successful.

There are multiple tracker stage statuses, such as:

• Aged out - Occurs when a session closes due to aging out
• TCP FIN - Occurs when a TCP FIN is used to close half or both sides of a connection
• TCP RST - client - Occurs when the client sends a TCP reset to the server
• TCP RST - server - Occurs when the server sends a TCP reset to the client
• appid policy lookup deny - Occurs when a session matches a security policy with a deny or drop action
• mitigation tdb - Occurs when a session ends due to a threat detection
• resource limit - Occurs when a session is set to drop due to a system resource limitation such as exceeding the number of out of order packets allowed per flow or the global out of order packet queue. Many other reasons will roll up to this reason.
• host service - Traffic destined for firewall but service not allowed or enabled

Example of the show session id command with tracker stage line is shown below:

> show session id 4632

Session            4632

c2s flow:

source:      192.168.210.103 [trust]

dst:         198.172.88.58

proto:       6

sport:       4475            dport:      80

state:       INIT            type: FLOW

src user:    unknown

dst user:    unknown

pbf rule:    wt-VPNTest 1

s2c flow:

source:      198.172.88.58 [VPN]

dst:         192.168.210.103

proto:       6

sport:       80              dport:      4475

state:       INIT            type:       FLOW

src user:    unknown

dst user:    unknown

start time                    : Mon Sep  9 16:39:06 2013

timeout                       : 30 sec

total byte count(c2s)         : 1063

total byte count(s2c)         : 1461

layer7 packet count(c2s)      : 12

layer7 packet count(s2c)      : 10

[…..]

session via syn-cookies       : False

session terminated on host    : False

session traverses tunnel      : True

captive portal session        : False

ingress interface             : ethernet1/6

egress interface              : tunnel.179

session QoS rule              : N/A (class 4)

tracker stage firewall        : TCP FIN

The following command lists all the sessions that have the "tracker stage" flag enabled:

> show log traffic direction equal backward show-tracker equal yes

Time                App             From            Src Port          Source

Rule                Action          To              Dst Port          Destination

Src User            Dst User        Session Info

===============================================================================

2013/09/09 16:44:01 flash           trust           4433              192.168.210.103

TCP-logging         allow           VPN             80                74.125.239.124

                                                    TCP FIN

2013/09/09 16:44:00 incomplete      untrust         52405             10.30.6.210

allow-any           allow           untrust         135               10.30.14.212

                                                    Aged out

2013/09/09 16:40:25 ms-update       trust           4402              192.168.210.103

TCP-logging         allow           VPN             80                96.17.148.40

                                                    TCP RST – client

owner: djoksimovic